# {{ ansible_managed }}

cluster_name = "{{ vault_cluster_name }}"
max_lease_ttl = "{{ vault_max_lease_ttl }}"
default_lease_ttl = "{{ vault_default_lease_ttl }}"

disable_clustering = "{{ vault_cluster_disable }}"
cluster_addr = "{{ vault_cluster_addr }}"
api_addr = "{{ vault_api_addr }}"

plugin_directory = "{{ vault_plugin_path }}"

{% for l in vault_tcp_listeners %}
listener "tcp" {
  address = "{{ l.vault_address }}:{{ l.vault_port }}"
  cluster_address = "{{ l.vault_cluster_address }}"
  {% if (l.vault_proxy_protocol_behavior is defined and l.vault_proxy_protocol_behavior) -%}
  proxy_protocol_behavior = "{{ l.vault_proxy_protocol_behavior }}"
  {% if (l.vault_proxy_protocol_authorized_addrs is defined) -%}
  proxy_protocol_authorized_addrs = "{{ l.vault_proxy_protocol_authorized_addrs }}"
  {% endif -%}
  {% endif -%}
  {% if not (l.vault_tls_disable | bool) -%}
  {% if (l.vault_tls_client_ca_file is defined) -%}
  tls_client_ca_file="{{ l.vault_tls_certs_path }}/{{ l.vault_tls_client_ca_file }}"
  {% endif -%}
  tls_cert_file = "{{ l.vault_tls_certs_path }}/{{ l.vault_tls_cert_file }}"
  tls_key_file = "{{ l.vault_tls_private_path }}/{{ l.vault_tls_key_file }}"
  tls_min_version  = "{{ l.vault_tls_min_version }}"
  {% if vault_tls_cipher_suites is defined and vault_tls_cipher_suites -%}
  tls_cipher_suites = "{{ l.vault_tls_cipher_suites}}"
  {% endif -%}
  {% if (l.vault_tls_require_and_verify_client_cert | bool) -%}
  tls_require_and_verify_client_cert = "{{ l.vault_tls_require_and_verify_client_cert | bool | lower}}"
  {% endif -%}
  {% if (l.vault_tls_disable_client_certs | bool) -%}
  tls_disable_client_certs = "{{ l.vault_tls_disable_client_certs | bool | lower}}"
  {% endif -%}
  {% endif -%}
  tls_disable = "{{ l.vault_tls_disable | bool | lower }}"
  {% if (l.vault_x_forwarded_for_authorized_addrs is defined and l.vault_x_forwarded_for_authorized_addrs) -%}
  x_forwarded_for_authorized_addrs = "{{ l.vault_x_forwarded_for_authorized_addrs }}"
  {% if (l.vault_x_forwarded_for_hop_skips is defined) -%}
  x_forwarded_for_hop_skips = "{{ l.vault_x_forwarded_for_hop_skips }}"
  {% endif -%}
  {% if (l.vault_x_forwarded_for_reject_not_authorized is defined) -%}
  x_forwarded_for_reject_not_authorized = "{{ l.vault_x_forwarded_for_reject_not_authorized | bool | lower }}"
  {% endif -%}
  {% if (l.vault_x_forwarded_for_reject_not_present is defined) -%}
  x_forwarded_for_reject_not_present = "{{ l.vault_x_forwarded_for_reject_not_present | bool | lower }}"
  {% endif -%}
  {% endif -%}
  {% if (vault_unauthenticated_metrics_access | bool) -%}
  telemetry {
    unauthenticated_metrics_access = "true"
  }
  {% endif %}
}
{% endfor %}

{% if (vault_listener_localhost_enable | bool) -%}
listener "tcp" {
  address = "127.0.0.1:{{ vault_port }}"
  cluster_address = "127.0.0.1:8201"
  tls_disable = "true"
}
{% endif -%}

{#
  Select which storage backend you want generated and placed
  in the vault configuration file.
#}
{% if vault_backend == 'consul' -%}
  {% include vault_backend_consul with context -%}
{% elif vault_backend == 'etcd' -%}
  {% include vault_backend_etcd with context -%}
{% elif vault_backend == 'file' -%}
  {% include vault_backend_file with context -%}
{% elif vault_backend == 's3' -%}
  {% include vault_backend_s3 with context -%}
{% elif vault_backend == 'dynamodb' -%}
  {% include vault_backend_dynamodb with context -%}
{% elif vault_backend == 'mysql' -%}
  {% include vault_backend_mysql with context -%}
{% elif vault_backend == 'gcs' -%}
  {% include vault_backend_gcs with context -%}
{% elif vault_backend == 'raft' -%}
  {% include vault_backend_raft with context -%}
{% endif %}

{% if vault_service_registration_consul_enable -%}
  {% include vault_service_registration_consul_template with context -%}
{% endif %}
{% if vault_service_registration_kubernetes_enable -%}
  {% include vault_service_registration_kubernetes_template with context -%}
{% endif %}

{% if vault_ui -%}
ui = {{ vault_ui | bool | lower }}
{% endif %}

{% if vault_entropy_seal | bool -%}
  {% include 'vault_entropy_seal.j2' with context %}
{% endif %}

{% if vault_enterprise_premium_hsm | bool -%}
  {% include vault_backend_seal with context %}
{% endif %}

{% if vault_gkms | bool -%}
  {% include vault_backend_gkms with context %}
{% endif %}

{% if vault_ocikms | bool -%}
  {% include vault_ocikms_backend with context %}
{% endif %}

{% if vault_telemetry_enabled | bool -%}
telemetry {
  {% if vault_statsite_address is defined %}
  statsite_address = "{{vault_statsite_address}}"
  {% endif -%}
  {% if vault_statsd_address is defined %}
  statsd_address = "{{vault_statsd_address}}"
  {% endif -%}
  {% if vault_prometheus_retention_time is defined %}
  prometheus_retention_time = "{{ vault_prometheus_retention_time }}"
  {% endif -%}
  {% if vault_telemetry_disable_hostname is defined %}
  disable_hostname = {{vault_telemetry_disable_hostname | bool | lower }}
  {% endif -%}
  {% if vault_telemetry_usage_gauge_period is defined %}
  usage_gauge_period = "{{ vault_telemetry_usage_gauge_period }}"
  {% endif -%}
}
{% endif -%}

{% if vault_configure_enterprise_license | bool -%}
license_path = "{{ vault_license_path }}"
{% endif -%}

{% if vault_custom_configuration is defined -%}
{{ vault_custom_configuration }}
{% endif -%}
